FaceNiff makes Facebook hacking on Android too easy


Before you connect to that open public Wi-Fi network and log in to Facebook, you should know there’s a new app on the loose that makes it easy for a user to sniff traffic from your computer and intercept authentication tokens or credentials sent in the clear. The app is called FaceNiff, and it’ll run on any rooted Android device.

FaceNiff essentially turns your Android phone into a packet sniffer, and when the app detects Facebook traffic from another device on the same wireless network, it’ll snag as much information from the connection as possible–including your login information. Facebook isn’t the only service that FaceNiff can exploit–the app also allows users to intercept Twitter, YouTube, and Amazon credentials.

The app is remarkably similar to Firesheep, a Firefox add-on that allowed unscrupulous users to do the same thing. FaceNiff has a leg up on Firesheep though, since the app runs on Android phones, doesn’t require any real customization to run, and even supports WPA-encrypted wireless networks, as long as you’re already on the network.

The fix for most people is to enable HTTPS for every service where it’s available. Twitter and Facebook already allow you to set HTTPS as the default connection method for your authentication and all of your traffic, and other services are slowly coming around to it as well.
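For anyone running a service rather than just using one, the same fix shows up in the response headers. The check below is an added example, not code from FaceNiff, Firesheep, or any service named here; the `social.example` host, the cookie name `session`, and the sample responses are constructed assumptions. It flags responses that would leave a session token readable on a shared network.

```python
from urllib.parse import urlsplit

# Constructed responses for a hypothetical service; not captured traffic.
SAMPLES = {
    "http_only": ("http://social.example/home",
                  [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    "https_login_only": ("https://social.example/login",
                         [("Set-Cookie", "session=abc123; Path=/; HttpOnly")]),
    "hardened": ("https://social.example/login",
                 [("Strict-Transport-Security", "max-age=31536000"),
                  ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly")]),
}

def cookie_name_and_attrs(set_cookie_value):
    """Split a Set-Cookie value into the cookie name and its lower-cased attribute names."""
    first, *rest = [p.strip() for p in set_cookie_value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in rest if p}
    return first.split("=", 1)[0], attrs

def audit(url, headers):
    """Return findings that leave a session token readable on a shared network."""
    findings = []
    https = urlsplit(url).scheme == "https"
    names = {k.lower() for k, _ in headers}
    if not https:
        findings.append("cleartext-http")
    elif "strict-transport-security" not in names:
        # Without HSTS the browser may still make later requests over http://
        findings.append("no-hsts")
    for key, value in headers:
        if key.lower() == "set-cookie":
            name, attrs = cookie_name_and_attrs(value)
            if "secure" not in attrs:
                # A cookie without Secure is attached to plain-HTTP requests too.
                findings.append(f"cookie-not-secure:{name}")
    return findings

if __name__ == "__main__":
    for label, (url, headers) in SAMPLES.items():
        print(label, audit(url, headers) or "ok")
```

The middle sample is the one to watch for: a login page served over HTTPS still exposes the session if the cookie it sets lacks `Secure` and later pages load over plain HTTP.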

If you want to take your safety a step further, you can protect your internet connection on public Wi-Fi at a coffee shop or airport with a VPN, either one run by your office or school or a free service like Hotspot Shield or Hamachi. Alternatively, you can skip public wireless networks entirely and tether to your phone or use your wireless carrier’s connectivity options instead.

Regardless of what you do, make sure to do something: with apps like Firesheep and FaceNiff in the wild, it’s easier than ever for someone who’s either malicious or just curious to walk away with access to your Facebook or Twitter account.